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Abstract. Recently, several public key exchange protocols based on 
symbolic computation in non-commutative (semi)groups were proposed 
as a more efficient alternative to well established protocols based on nu- 
meric computation. Notably, the protocols due to Anshel-Anshel-Goldfeld 
and Ko-Lee et al. exploited the conjugacy search problem in groups, which 
is a ramification of the discrete logarithm problem. However, it is a preva- 
lent opinion now that the conjugacy search problem alone is unlikely to 
provide sufficient level of security no matter what particular group is 
chosen as a platform. 

In this paper we employ another problem (we call it the decomposition 
problem), which is more general than the conjugacy search problem, and 
we suggest to use R. Thompson's group as a platform. This group is 
well known in many areas of mathematics, including algebra, geometry, 
and analysis. It also has several properties that make it fit for crypto- 
graphic purposes. In particular, we show here that the word problem in 
Thompson's group is solvable in almost linear time. 



1 Introduction 

One of the possible generalizations of the discrete logarithm problem to arbi- 
trary groups is the so-called conjugacy search problem: given two elements a, b 
of a group G and the information that a x = b for some x £ G, find at least one 
particular clement x like that. Here a x stands for x^ax. The (alleged) compu- 
tational difficulty of this problem in some particular groups (namely, in braid 
groups) has been used in several group based cryptosystems, most notably in 
P and It seems however now that the conjugacy search problem alone is 
unlikely to provide sufficient level of security; see [7] and |S] for explanations. 

In this paper we employ another problem, which generalizes the conjugacy 
search problem, but at the same time resembles the factorization problem which 
is at the heart of the RSA cryptosystem. This problem which some authors (see 
e.g. 0)0) cai l the decomposition problem is as follows: 

Given an element w of a (semi)group G, a subset A C G and an element 
x ■ w ■ y, find elements x' , y' € A such that x' ■ w ■ y' = x ■ w ■ y. 
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The conjugacy search problem (more precisely, its subgroup-restricted version 
used in [Sj) is a special case of the decomposition problem if one takes x = y^ 1 . 

The usual factorization problem for integers used in the RSA cryptosystem is 
also a special case of the decomposition problem if one takes w = 1 and G — Z*, 
the multiplicative (semi)group of integers modulo p. It is therefore conceivable 
that with more complex (semi)groups used as platforms, the corresponding cryp- 
tosystem may be more secure. At the same time, in the group that we use in 
this paper (R. Thompson's group), computing (the normal form of) a product 
of elements is faster than in Z* . 

A key exchange protocol based on the general decomposition problem is quite 
straightforward (see e.g. 0): given two subsets A, B C G such that ab = ba for 
any a £ A, b £ B, and given a public element w £ G, Alice selects private 
a\,a2 £ A and sends the element a\wa2 to Bob. Similarly, Bob selects private 
61,62 £ B and sends the element b\wb2 to Alice. Then Alice computes Ka = 
a\b\wb2a2, and Bob computes Kb = b\a\wa2b2- Since aibi = biCLi in G, one has 
Ka = Kb = K (as an element of G), which is now Alice's and Bob's common 
secret key. 

In this paper, we suggest the following modification of this protocol which 
appears to be more secure (at least for our particular choice of the platform) 
against so-called "length based" attacks (see e.g. 0], [5]), according to our ex- 
periments (see our Section I2J ■ Given two subsets A,B C G such that ab = ba 
for any a £ A, b £ B, and given a public element w £ G, Alice selects private 
(X\ £ A and b\ £ B and sends the element a\wb\ to Bob. Bob selects private 
62 £ B and 02 £ A and sends the element 62^02 to Alice. Then Alice computes 
Ka — ai&2wa2&i, an d Bob computes Kb = b2a\wbia2- Since = 6^ in G, 
one has Ka = Kb = K (as an element of G), which is now Alice's and Bob's 
common secret key. 

The group that we suggest to use as the platform for this protocol is Thomp- 
son's group F well known in many areas of mathematics, including algebra, 
geometry, and analysis. This group is infinite non-abelian. For us, it is impor- 
tant that Thompson's group has the following nice presentation in terms of 
generators and defining relations: 

F = (x ,Xx,x 2 ,.. ■ I x~ x x k Xi = x k+1 (k > i)}. (1) 

This presentation is infinite. There are also finite presentations of this group; 
for example, 

F = (x ,xi,X2,x 3 ,X4, I x~ x x k Xi = x k +i (k>i, k < 4)), 

but it is the infinite presentation above that allows for a convenient normal form, 
so we are going to use that presentation in our paper. 

For a survey on various properties of Thompson's group, we refer to [2]. Here 
we only give a description of the "classical" normal form for elements of F. 

The classical normal form for an element of Thompson's group is a word of 
the form 

Xi 1 ■ ■ ■ Xi s Xj t . . . Xj 1 , (2) 



such that the following two conditions are satisfied: 
(NF1) h < ... < i s and ji < . . . < jt 

(NF2) if both x$ and x~ x occur, then either Xi+i or x^r-y occurs, too. 

We say that a word w is in seminormal form if it is of the form @ and 
satisfies (NF1). 

We show in Section 0] that the time complexity of reducing a word of length 
n to the normal form in Thompson's group is 0{\n\ log |n|), i.e., is almost linear 
in n. 

Another advantage of cryptographic protocols based on symbolic computa- 
tion over those based on computation with numbers is the possibility to generate 
a random word one symbol at a time. For example, in RSA, one uses random 
prime numbers which obviously cannot be generated one digit at a time but 
rather have to be precomputed, which limits the key space unless one wants to 
sacrifice the efficiency. We discuss key generation in more detail in our Section 
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2 The protocol 

Let F be Thompson's group given by its standard infinite presentation Q and 
s € N a positive integer. Define sets A s and B s as follows. The set A s consists 
of elements whose normal form is of the type 

Xi^ . . . Xi m Xj^ . . . Xj_^ , 

i.e. positive and negative parts are of the same length m, and 

ik — k < s and jk — k < s for every k = 1, . . . , s. (3) 

The set B s consists of elements represented by words in generators x s+ i , x s+ 2 , ■ ■ ■■ 
Obviously, B s is a subgroup of F. 

Proposition 1. Let a S A s and b £ B s . Then ab = ba in the group F. 

Proof. Let a — Xi 1 . . . Xi m xJ^ . . . xj ± and b — . . . x^' where k q > s for every 
q = 1, . . . , I. By induction on I and m it is easy to show that in the group F one 
has 

ab = ba = Xi l ... x lm 5 m {b)xj^ . . . xj x , 

where 8m is the operator that increases indices of all generators by M (see also 
our Section 0}. This establishes the claim. 



Proposition 2. Let s > 2 be an integer. The set A s is a subgroup of F generated 
by XqX^ 1 , . . . , xqxJ 1 . 

Proof. The set A s contains the identity and is clearly closed under taking inver- 
sions, i.e., A s — A^ 1 . To show that A s is closed under multiplication we take 
two arbitrary normal forms from A s : 

_ -l -l 

and 

V X pi . . . Xp [ X qi . . . X qi 

and show that the normal form of uv belongs to A s . First, note that since the 
numbers of positive and negative letters in uv are equal, the lengths of the 
positive and negative parts in the normal form of uv will be equal, too (see the 
rewriting system in the beginning of our Section . Thus, it remains to show 
that the property @ of indices in the normal form of uv is satisfied. Below we 
sketch the proof of this claim. 

Consider the subword in the middle of the product uv marked below: 

UV Xi 1 . . . Xi m ( K %j m • • ■ %j 1 ^Cpi • • ■ £pi ) •^q l • • ■ % q 1 

and find a seminormal form for it using relations of F (move positive letters to 
the left and negative letters to the right starting in the middle of the subword). 
We refer the reader to Algorithm [3 in Section 0] for more information on how 
this can be done. Denote the obtained word by w. The word w is the product 
of a positive and a negative word: w = pn. By induction on I + m one can show 
that both p and n satisfy the condition @ . 

Then we find normal forms for words p and n using relations of F (for p move 
letters with smaller indices to the left of letters with bigger indices, and for n 
move letters with smaller indices to the right of letters with bigger indices). By 
induction on the number of operations thus performed, one can show that the 
obtained words p' and n' satisfy the condition Q- Therefore, the word w' = p'n' 
is a seminormal form of uv satisfying the condition ©. 

Finally, we remove those pairs of generators in w' that contradict the property 
(NF2) (we refer the reader to our Algorithm [S] for more information). Again, 
by induction on the number of "bad pairs" , one can show that the result will 
satisfy the condition Q). Therefore, uv belongs to A s , i.e., A s is closed under 
multiplication, and therefore, A s is a subgroup. 

Now we show that the set of words {xoXi , . . . jXqx^ 1 } generates the sub- 
group A s . Elements {xqx^ 1 , . . . , xqxJ 1 } clearly belong to A s . To show the inclu- 
sion A s < (xqXi 1 , . . . , xqxJ 1 ), we construct the Schreier graph of (xqx^ 1 , . . . , xqxJ 1 ) 
(depicted in Figure^ and see that any word from A s belongs to the subgroup 
on the right. 

Now we give a formal description of the protocol based on the decomposition 
problem mentioned in the Introduction. 



Fig. 1. The Schreier graph of the subgroup H = (x x 1 xqx s 1 ). The black 

dot denotes the right coset corresponding to H. 

(0) Fix two positive integers s, M and a word w = w(xq, x\, . . .). 

(1) Alice randomly selects private elements a\ £ A s and b\ e B s . Then she 
reduces the element a\wb\ to the normal form and sends the result to Bob. 

(2) Bob randomly selects private elements b 2 € B s and a 2 G A s . Then he reduces 
the element b 2 wa 2 to the normal form and sends the result to Alice. 

(3) Alice computes Ka = a\b 2 wa 2 b\ = b 2 aiwb\a 2 , and Bob computes Kb = 
b 2 a\wb\a 2 . Since aibi = biCii in F, one has Ka = Kb — K (as an element of F), 
which is now Alice's and Bob's common secret key. 

3 Parameters and key generation 

In practical key exchange we suggest to choose the following parameters. 

(1) Select (randomly and uniformly) the parameter s from the interval [3, 8] and 
the parameter M from the set {256, 258, . . . , 318, 320}. 

(2) Select the "base" word w as a product of generators 

S w = {xo, xi, • • • , x s+2 } 

and their inverses. This is done the following way. We start with the empty word 
vq. When we have a current word Vi, we multiply it on the right by a generator 
from Sg 1 and compute the normal form of the product. The obtained word 
is denoted by Uj+i. We continue this process until the obtained word t^+i has 
length M. 

(3) Select a\ and a 2 as products of words from 

S A = {£02h 1 : ■ ' ■ ^O^r 1 } 

and their inverses. This is done essentially the same way as above for w. We start 
with the empty word uq. Let Ui be the currently constructed word of length less 
than M, We multiply u, on the right by a randomly chosen word from S^ 1 and 
compute the normal form of the product. Denote the obtained normal form by 
Ui+i. Continue this process until the obtained word Uj+i has length M. 



(4) Select bi and b 2 as products of generators from 



Sb = {x s+ i,x s+ 2, ■ ■ ■ ,x 2s } 

and their inverses. To do that, start with the empty word vq. Multiply a current 
word Vi on the right by a generator from Sg 1 and compute the normal form of 
the product. Denote the obtained word by i>j+i. Continue this process until the 
obtained word Vj+i has length M. 

We would like to point out that the key space in the proposed scheme is 
exponential in M; it is easy to see that |A S (M)| > y/2 . 

The parameters above were chosen in such a way to prevent a length-based 
attack. Note that for Thompson's group, a length-based attack could be a threat 
since the normal form of any element represents a geodesic in the Cayley graph 
of F. Since ideas behind length-based attacks were never fully described, we 
present below a typical algorithm (adapted to our situation) implementing such 
an attack (Algorithm [TJ . 

Define a directed labelled graph r = (V(r), E(r)) as follows: 

— The set of vertices V(r) corresponds to the set of all elements of the group 
F. 

— The set of edges E{r) contains edges v% ' -^-> 2 ^ v 2 such that v 2 — w\V\w 2 in 
the group F, with labels of two types: 

• (wi, 1), where u>i € Sjr 1 . 

• (1,102), where w 2 G Sg 1 . 

For an element w £ F denote by r w the connected component of r containing w. 
From the description of the protocol it follows that w and the element w' — a\wb\ 
transmitted by Alice to Bob belong to r w = r w /, and breaking Alice's key is 
equivalent to finding a label of a path from w to w' in r w . 

To test our protocol, we performed a series of experiments. We randomly 
generated keys (as described above) and ran Algorithm ^ (see below) on them. 
Algorithm n keeps constructing r w and r w ' until a shared element is found. The 
sets S w and S w > in the algorithm accumulate constructed parts of the graphs 
r w and r w r. The sets M w c S w and M w i C S w > are called the sets of marked 
vertices and are used to specify vertices that are worked out. 

Algorithm 1 (Length-based attack) 

Input. The original public word w and the word w' transmitted by Alice. 
Output. A pair of words x\ £ Sa> %2 € Sb such that w' = x\wx 2 - 
Initialization. Put S w = {w}, S w > = {w'}, M w = 0, M w > = 0. 
Computations. 

A. Find a shortest word u £ S w \ M w . 

B. Multiply u by elements S^ 1 on the left and by elements S^ 1 on the right and 
add each result into S w with the edges labelled accordingly. 

C. Add u into M w . 



D. Perform the steps A-C with S w and M w replaced by S w i and M w > , respec- 
tively. 

E. If S w n S w i = then goto A. 

F. If there is w G S w n S w i then find a path in S w from w to w and a path in 
S w ' from W to w' . Concatenate them and output the label of the result. 

We performed a series of tests implementing this length-based attack; in each 
test we let the program to run overnight. None of the programs gave a result, 
i.e., the success rate of the length-based attack in our tests was 0. 

4 The word problem in Thompson's group 

In this section, we show that the time complexity of reducing a word of length n 
to the normal form in Thompson's group F is 0(|n| log \n\), i.e., is almost linear 
in n. Our algorithm is in two independent parts: first we reduce a given word 
to a seminormal form (Algorithm 01 , and then further reduce it to the normal 
form by eliminating "bad pairs" (Algorithm [SJ. We also note that crucial for 
Algorithm 0| is Algorithm [21 which computes a seminormal form of a product of 
two seminormal forms. Our strategy for computing a seminormal form of a given 
w G F is therefore recursive ("divide and conquer"): we split the word w into 
two halves: w = W1W2, then compute seminormal forms of ui\ and W2, and then 
use Algorithm El to compute a seminormal form of w. 

Recall that Thompson's group F has the following infinite presentation: 



The classical normal form for an element of Thompson's group (see for 
more information) is described in the Introduction. 

Let us denote by p(w) the normal form for w G F; it is unique for a given 
element of F. Recall that we say that a word w is in seminormal form if it is 
of the form J3J) and satisfies (NF1) (see the Introduction). A seminormal form 
is not unique. As usual, for a word w in the alphabet X by w we denote the 
corresponding freely reduced word. 

As mentioned above, the normal form for an element of Thompson's group 
can be computed in two steps: 

1) Computation of a seminormal form. 

2) Removing "bad pairs", i.e., pairs {xi^x^ 1 ) for which the property (NF2) 



The first part is achieved (Lemma ^) by using the following rewriting system 
(for all pairs (i, k) such that i < k): 



F = (x ,xi,X2, ■■■\x l 1 x k x i = x k+ i (k > i)). 



fails. 



X k Xi 




1 



1 



and, additionally, for all 2 € N 




1 



We denote this system of rules by 1Z. It is straightforward to check (using the 
confluence test, see ^3 Proposition 3.1]) that 1Z is confluent. The following 
lemma is obvious. 

Lemma 1. 1Z terminates with a seminormal form. Moreover, a word is in a 
seminormal form if and only if it is IZ-reduced. 

Let us now examine the action of 1Z more closely. This action is similar to 
sorting a list of numbers, but with two differences: indices of generators may 
increase, and some generators may disappear. 

By Lemma^] for any word w in generators of F, the final result of rewrites by 
1Z is a seminormal form. Therefore, to compute a seminormal form we implement 
rewrites by 1Z. We do it in a special manner in Algorithra|3]in order to provide the 
best performance. For convenience we introduce a parametric function 5 S , e £ Z, 
defined on the set of all words in the alphabet {x^ 1 ,xf x , . . .} by 



The function 5 S may not be defined for some negative e on a given word 
w = wfx^ 1 ", x^ 1 . . . .), but when it is used, it is assumed that the function is 
defined. 

4.1 Merging seminormal forms 

Consider first the case where a word hi is a product of w\ and W2 given in 
seminormal forms. Let w\ — p\n\ and W2 = P2n 2 , where pi and ni {i = 1,2) 
are the positive and negative parts of Wi. Clearly, one can arrange the rewriting 
process for p\n\pini by 7Z the following way: 

1) Rewrite the subword nip2 of w to a seminormal form p^n'i- Denote by w' — 
PiP2 n -i'^2 the obtained result. 

2) Rewrite the positive subword pip' 2 of w' to a seminormal form p. Denote by 
w" = pn[n2 the obtained result. 

3) Rewrite the negative subword ril^ni of w" to a seminormal form n. Denote 
by uu'" = pn the obtained result. 

The word w'" = pn is clearly in a seminormal form and w —f w 1 " . This process 
can be depicted as follows: 



Pi nip 2 n 2 




pn 



The next algorithm performs the first rewriting step from the scheme above, 
and the following Lemma |3 asserts that it correctly performs the first step in 
linear time. 

Algorithm 2 (Seminormal form of a product of negative and positive seminor- 
mal forms) 

Signature, w = Merge- !+ (n,p,ei,e 2 ). 

Input. Seminormal forms n and p (where n — xj^ . . . xj' and p = Xi x . . . Xi s ), 
and numbers £1, £2 S Z. 

Output. Seminormal form w such that w =f S £l (n)5 £2 (p). 
Computations. 

A) If s = or t = then output a product np. 

B) If ji + £1 = i\ + £2 then 

1 ) Compute w — Merge-^+(xJ t 1 . . . xj 2 , Xi 2 . . . Xi s , £1, £2). 

2) Output w. 

C) If ji + £1 < ii + £2 then 

1 ) Compute w = Merge-_ + (xJ t 1 . . . xj^, x.i 1 . . . x.i s , £1, £2 + 1). 

2) Output wx~ i 1 +£i . 

D) If ji + £1 > i\ + £2 then 

1) Compute w = Merge- ,+ ixJ^ ■ ■ ■ xj^ , Xi 2 . . .Xi s ,£\ + 1, £2). 

2) Output Xi 1 + 62 w . 

Lemma 2. For any seminormal forms n and p (where n = x7^ . . .xj t and 
p = Xi t . . . Xi s ) and numbers e±, £2 € Z the output w = Merge-. , £1, £2) 
of Algorithm^ is a seminormal form for S ei (n)S £2 (p). Furthermore, the time 
complexity required to compute w is bounded by C(\n\ + \p\) for some constant 
C. 

Proof. Since in each iteration we perform the constant number of elementary 
steps and in each subsequent iteration the sum \n\ + \p\ is decreased by one, the 
time complexity of Algorithm [2] is linear. 

We prove correctness of Algorithm |21 by induction on \n\ + \p\. Assume that 
\n\ + \p\ = 0. Then at step A) we get output w = np which is an empty word. 
Clearly, such w is a seminormal form for np, so the base of induction is done. 

Assume that |n| + |p| = N+ 1 and for any shorter word the statement is true. 
Consider four cases. If |n| = or \p\ = then one of the words is trivial and, 
obviously, the product np is a correct output for this case. If ji +£1 = i\ +£2 then 
x Ji+ei x ii+e 2 cancels out inside of the product S £1 (n)S e2 (p), and by the inductive 
assumption we are done. 

If ji + £1 < i\ + £2 then j\ + £1 is the smallest index in S ei (n)S e2 (p) and 
therefore, using TZ, the word 5 £l (n)S £2 (p) can be rewritten the following way: 

S ei (jl)5 £2 (p) = x j t -i r£l ■ ■ ■ X j 2 + £l X j 1 + £l X il+£l ■ ■ - X i s +S2 > 
K -1 -1 -1 

X jt+£i ■ ■ ■ X j 2 +ei Xi i+£i + 1 ■ ■ ■ x is+e 2 + l x 3l + £l 



Note that since j\ + e% is the smallest index in 6 El (n)5 £2 (p), the smallest index 
in w = M erge^.+ (xj t 1 . . . x" 1 , x% 2 ■ ■ ■ Xi g , £1, £2) is not less than j\ + S\. By the 
inductive assumption, w is a seminormal form for S £l {x~^ . . . x~ 2 1 )S £2 (xj 2 . . . Xi 3 ). 
Therefore, wx J 1 1 + £2 +i = f S £l (n)S £2 (p) and it is a seminormal form. 
The last case where j\ + E\ > i\ + e 2 is treated similarly. 

Using ideas from Algorithm [5] one can easily implement an algorithm merg- 
ing positive words and an algorithm merging negative words, so that state- 
ments similar to Lemma would hold. We will denote these two algorithms by 
Merge_ i _(ni, ri2, £i, £2) and Merge+ i +(p±,p2, £1, £2), respectively. Thus, com- 
putation of a seminormal form of a product of two arbitrary seminormal forms 
has the following form. 

Algorithm 3 (Seminormal form of a product of seminormal forms) 

Signature, w = Merge(wi,w 2 )- 

Input. Seminormal forms w\ andwi- 

Output. Seminormal form w such that w =p w\W2- 

Computations. 

A) Represent Wi as a product of a positive and negative word (w% = p\n\ and 
w 2 =Pin 2 ). 

B) Compute w' — Merge- t +(ni, p 2 , 0, 0) and represent it as a product of a 
positive and negative word w' — p 2 n i- 

C) Compute w" = Merge+,+ (pi,p' 2 , 0, 0). 

D) Compute w'" = Merge- t -(n' ly n 2 , 0, 0). 

E) Output w"w"'. 

Lemma 3. For any pair of seminormal forms w\ and w 2 the word w — Merge(wx, 
is a seminormal form of the product W\W 2 . Moreover, the time- complexity of 
computing w is bounded by C(\w\\ + \w 2 \) for some constant C. 

Proof. Follows from Lemma |3 

4.2 Seminormal form computation 

Algorithm 4 (Seminormal form) 

Signature, u = SemiNormalForm,(w). 

Input. A word w in generators of F. 

Output. A seminormal form u such that u — w in F. 

Computations. 

A) If \w\ < 1 then output w. 

B) Represent w as a product w±w 2 such that \w± \ — \w 2 \ < 1. 

C) Recursively compute 

ui = SemiNormalForm(wi) and 
u 2 = SemiNormalForm{w 2 ). 

D) Let u = Merge(ui, u 2 ). 



E) Output u. 



Lemma 4. Let w be a word in generators of F. The output of Algorithm^ on 
w is a seminormal form for w. The number of operations required for Algorithm 
^to terminate is 0(C\w\ log \w\), where C is a constant independent of w. 

Proof. The first statement can be proved by induction on the length of w. The 
base of the induction is the case where \w\ = 1. In this case w is already in a 
seminormal form, and the output is correct. The induction step was proved in 
Lemma 01 

To prove the second statement we denote by T(n) the number of steps re- 
quired for Algorithm 0] to terminate on an input of length n. Then clearly 

T{n) = 2T{~)+C-n, 

where the last summand C ■ n is the complexity of merging two seminormal forms 
with the sum of lengths at most \n\. It is an easy exercise to show that in this 
case T(n) = 0(C ■ nlogn). 

4.3 Normal form computation 

The next lemma suggests how a pair of generators contradicting the property 
(NF2) can be removed and how all such pairs can be found. 

Lemma 5. Let w — x;, . . . Xi xj 1 . . . xj 1 be a seminormal form, fx,- .xj 1 ) be 
the pair of generators in w which contradicts (NF2), where a and b are maximal 
with this property. Let 

W = Xi x . . . Xi a _ 1 5-i(Xi a+1 . . . Xi s Xj t . . . x j b+1 ) x j b _ 1 ■ ■ • x j 1 ■ 

Then w' is in a seminormal form and w —f w'. Moreover, if (xi c , xj^ ) is the 
pair of generators in w' which contradicts (NF2) (where a and b are maximal 
with this property), then c < a and d < b. 

Proof. It follows from the definition of (NF2) and seminormal forms that all 
indices in Xi a+1 . . . Xi^xJ^ . . . xj are greater than i a + 1 and, therefore, indices 
in S-i(xi a+1 . . . Xi 3 x~^ . . . %J b+1 ) are greater than i a . Now it is clear that w' is a 
seminormal form. Then doing rewrites opposite to rewrites from 1Z we can get 
the word w' from the word w. Thus, w =p w' . 

There are two possible cases: either c > a and d > b or c < a and d < b. 
We need to show that the former case is, in fact, impossible. Assume, by way 
of contradiction, that c > a and d > b. Now observe that if (xi a , x" 1 ) is a pair 
of generators in w contradicting (NF2), then (xi a+e , xj b \ e ) contradicts (NF2) in 
6 e (w). Therefore, inequalities c> a and d > b contradict the choice of a and b. 



By Lemma we can start looking for bad pairs in a seminormal form start- 
ing from the middle of a word. The next algorithm implements this idea. The 
algorithm is in two parts. The first part finds all "bad" pairs starting from the 
middle of a given w, and the second part applies 5 e to segments where it is re- 
quired. A notable feature of Algorithm [5] is that it does not apply the operator 
5_i immediately (as in w' of Lemma |5J when a bad pair is found, but instead, it 
keeps the information about how indices must be changed later. This informa- 
tion is accumulated in two sequences (stacks), one for the positive subword of 
w, the other one for the negative subword of w. Also, in Algorithm^ the size of 
stack Si (or S2) equals the length of an auxiliary word wi (resp. 102)- Therefore, 
at step B), x a (resp. Xb) is defined if and only if £1 (resp. £2) is defined. 

Algorithm 5 (Erasing bad pairs from a seminormal form) 
Signature, w = EraseBadPairs(u). 
Input. A seminormal form u = x^ . . . x% s xj t . . . x~\ 
Output. A word w which is the normal form of u. 

Initialization. Let 5 = 0, Si = 0, <J 2 = 0, wi = 1, and iu 2 = 1. Let m = 
Xi t . . . Xi 3 and U2 = xj^ . . . xj^ be the positive and negative parts of u. Addition- 
ally, we set up two empty stacks Si and 5*2. 
Computations. 

A. Let the current ui — Xi 1 . . . Xi s and U2 — x~^ . . . xj^ . 

B. Let x a be the leftmost letter of u>i, Xb the rightmost letter of W2, and Si 
(i = 1,2) the top element of Si, i.e., the last element that was put there. 
If any of these values does not exist (because, say, Si is empty), then the 
corresponding variable is not defined. 

1) If s > and (t — or i s > j t ), then: 

a) multiply u>i on the left by Xi s (i.e. wi <— Xi 3 Wi); 

b) erase Xi s from ui; 

c) push into Si; 

d) goto 5). 

2) If t > and (s — or jt > i s ), then: 

a) multiply W2 on the right by a;" 1 (i.e. W2 <— W2xJ t 1 ); 

b) erase xj^ from U2; 

c) push into S2; 

d) goto 5). 

3) If i s — jt and (the numbers a — Ei and b — 62 (those that are defined) are 
not equal to i s or i s + 1 ), then: 

a) erase Xi s from Ui; 

b) erase xj^ from U2; 

c) if Si is not empty, increase the top element of Si; 

d) if S2 is not empty, increase the top element of S2; 

e) goto 5). 

4) If l)-3) are not applicable (when i s = jt and (one of the numbers a — si, 
b — £2 is defined and is equal to either i s or i s + 1 )), then: 

a) multiply wi on the left by Xi s (i.e. wi <— Xi s wi); 



b) multiply W2 on the right by xj^ (i.e. wi <— W2xJ t 1 ); 

c) erase Xi s from u\; 

d) erase xj^ from U2; 

e) push into S\; 

f) push into S2; 

g) goto 5). 

5) If u\ or U2 is not empty then goto 1). 

C. While Wi is not empty: 

1) let Xi t be the first letter of w% (i.e. wi = ■ w[); 

2) take (pop) c from the top of S± and add to S\ (i.e. Si <— 5i + c); 

3) multiply u\ on the right by Xi 1 -s 1 (i-e. u\ <— u\Xi 1 -s 1 ); 

4) erase from w\. 

D. While u>2 is not empty: 

1) let xj x be the last letter of W2 (i.e. W2 = w' 2 ■ a;Z ); 

2) take (pop) c from the top of S2 and add to 62 (i.e. <52 < — ^2 + c); 

3) multiply 1*2 on the left by xJ i _ Sa (i.e. U2 *— xj^^^^); 

4) erase xj^ from W2- 

E. Return U\U2- 

Proposition 3. The output of Algorithm^ is the normal form w of a seminor- 
mal form u. The number of operations required for Algorithm^ to terminate is 
bounded by D ■ \u\, where D is a constant independent of u. 

Proof. The first statement follows from Lemma The time estimate is obvious 
from the algorithm since the words iti, «2 are processed letter- by- letter, and no 
letter is processed more than once. 

As a corollary, we get the main result of this section: 

Theorem 1. In Thompson's group F , the normal form of a given word w can 
be computed in time 0{\w\ log \w\). 
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